Below is the Cloud Legal Project's response to the European Commission's Cloud Computing Consultation, submitted on 30 August 2011.
1. Are you responding for a Company?
5. Are you a Public Administration?
9. If you are not a company nor a public administration, are you
11. If you are a user of cloud services: Please describe your current use of cloud computing. What kind of problems do you encounter when using cloud computing solutions in the EU? Elsewhere?
This response is by Prof Christopher Millard, Prof Ian Walden and W Kuan Hon, Cloud Legal Project (http://cloudlegalproject.org), Centre for Commercial Law Studies, Queen Mary, University of London. The Cloud Legal Project team comprises Prof Christopher Millard, Prof Chris Reed, Prof Ian Walden, Dr Julia Hörnle, W Kuan Hon and Simon Bradshaw. We are researchers investigating legal issues in cloud computing. We also use cloud computing (mainly SaaS eg webmail, Office Live, Google Apps, Facebook, LinkedIn etc) in the course of our work and personal lives. Please see below for our views on problems for users in cloud computing.
1. Do you feel that in the cloud service you are currently using or have been evaluating (or are providing), the rights and responsibilities of both user and provider are clear?
2. Please comment.
On the basis of a survey we conducted of 31 sets of US and European cloud providers’ online standard contractual terms and conditions (see http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374, summarised in http://www.brookings.edu/papers/2011/03_cloud_computing_contracts.aspx), the majority of contracts favour the provider, in some cases to the extent of risking being unenforceable, especially against consumers and small/medium sized enterprises (SMEs) under laws such as those implementing Council Directive 93/13/EEC on unfair terms in consumer contracts. Furthermore, cloud providers reserve the right to, and do, from time to time change their standard terms, seemingly without adequate or any notice to users, who are forced to attempt to compare the terms to see what the changes are (assuming they have saved a copy of the previous version(s)). Terms published online may or may not indicate their date of issue, and even if updated may not necessarily indicate on their face that they have been changed, let alone which terms have been changed and in what way. Other summaries of this research are listed at http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/37188.html - this research is to be updated, and we are currently also researching negotiated cloud contracts via interviews with cloud providers and users and analysis of published negotiated cloud contracts and contracts obtained through freedom of information requests.
3. Are you aware of the applicable jurisdiction in different types of disputes that could arise during your provision or use (or potential future use) of specific cloud offerings?
4. Is there an alternative approach to the determination of jurisdiction that may work better both for users and providers?
5. If yes, please comment.
Regarding q. 3, we have not answered Yes or No because as lawyers we are personally aware of applicable law and jurisdiction issues, but we believe that most users will not read cloud providers’ standard terms and so may not be aware of the stipulated applicable law or jurisdiction. Applicable law and jurisdiction are separate issues which both have implications for consumers and need to be addressed, with applicable law being the more fundamental. There is particular uncertainty in relation to the applicability of EU data protection laws to non-EU entities. Within the EU, applicable law/jurisdiction should generally be based on the cloud provider’s country of origin (with consideration of exceptions for consumers etc). For non-EU cloud providers, it should be based on a ‘directed to’ test, akin to the test under Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, and the European Court of Justice’s decision in Pammer v Schlüter (2010). Directive 2000/31/EC on electronic commerce, Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and Regulation (EC) No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations provide useful models. However, it is important for legal certainty that the criteria for determining when a cloud provider is to be considered ‘established’ in the EU for these (and other) purposes should be clear, and harmonised across the EU.
7. Do you feel that the question of liability in cross-border situations is clear for cloud users and cloud providers?
Cloud providers’ standard terms tend to exclude or restrict liability, generally due to the low-margin, commoditised, shared-resources nature of their services. There is a lack of clarity for cloud users as to the identities of the entities providing the services or components on which their cloud service depends, due to the layering of services and the multitude of types of players – eg, customers of the storage service Dropbox view it as providing SaaS, but Dropbox uses Amazon’s IaaS service to provide its own services, so its SaaS is layered on IaaS. Furthermore, PaaS may be layered on IaaS, and SaaS may be layered on PaaS or IaaS. So, for example, the PaaS service Heroku is based on Amazon's EC2 IaaS. Please see http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1783577 pgs 6-7. Awareness amongst consumer and SME cloud users needs to be raised so that they can take measures, eg to back up data elsewhere, and/or to attempt to negotiate more favourable terms, provided they have the bargaining power to do so (which many may not). For details please see http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1662374.
1. Do you think there are updates to the current EU Data Protection Directive that could further facilitate Cloud Computing while preserving the level of protection?
2. If yes, please describe.
Anonymisation, pseudonymisation and encryption procedures – clarify the position to encourage their use as privacy enhancing techniques for cloud data. Encrypted data – consider providing explicitly that data encrypted and secured to industry standards are not ‘personal data’ and may be ‘processed’ freely by those without the decryption key. Anonymised data – clarify when anonymisation may produce non-‘personal data’, based on ‘more likely than not’ identification. Accountability – consider moving to a more nuanced, proportionate and flexible regime, with end-to-end accountability rather than a binary ‘controller/processor’ distinction, applying data protection obligations based on risk of harm and its likely severity, with appropriate exemptions. Sensitive data – consider a similar ‘risk of harm’ approach. Personal data manifestly made public – clarify the position for both non-sensitive and sensitive data, eg applying fewer data protection rules. Pure infrastructure cloud providers – clarify the status of Infrastructure as a Service, Platform as a Service and utility storage Software as a Service providers. Eg consider extending the E-Commerce Directive to exempt such infrastructure cloud providers from data protection law obligations, unless and until they lose immunity through having the requisite knowledge and/or control. For details: ‘The Problem of ‘Personal Data’ in Cloud Computing – What Information is Regulated?’ and ‘Who is Responsible for ‘Personal Data’ in Cloud Computing?’, at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1783577 and http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1794130 (summaries are at http://blogs.computerworlduk.com/cloud-vision/2011/04/data-protection-the-law-and-you-1/index.htm and http://blogs.computerworlduk.com/cloud-vision/2011/05/whos-responsible-for-personal-data-in-cloud-computing/index.htm). Data protection jurisdiction, and international data transfers – please see below.
3. Are you aware of specifics in Member States data protection rules, or other legislation, that prevent you from using/providing cloud services within the EU?
4. If yes, please detail.
Uncertainties in EU data protection law jurisdiction may discourage the building and/or use of EU data centres (which may be ‘establishments’ or ‘equipment’) for cloud computing. Eg if an EU company runs an EU data centre providing a private cloud for a non-EU third party T with no other EU presence, or T uses a cloud provider with EU data centres, does T have an EU ‘establishment’? The uncertainties may also discourage non-EU cloud users from using EU cloud providers even for non-EU purposes. See eg CNIL’s relaxations (http://www.cnil.fr/english/news-and-events/news/article/cnil-facilitates-the-use-of-outsourcing-services-performed-in-france-on-behalf-of-non-european-compa/), made so as not to hamper French cloud providers’ development. Lack of harmonised data protection laws, notably on security requirements, may also affect the ability to use data centres in multiple EU Member States for cloud computing. Instead of establishment/context and use of equipment/means, data protection jurisdiction might be based on country of origin within the EU, and targeting for non-EU providers. Criteria to determine country of origin and targeting should be clear and harmonised. If retained, the concepts of ‘establishment’, ‘context’ and ‘means’ need clarification, particularly to address the use of EU data centres (including ‘lights out’ data centres) for providing or using cloud computing services, whether directly or indirectly through layers of service providers. Restrictions on exporting personal data no longer seem appropriate. The focus should be on accountability and security, particularly who can access data in intelligible form. If data are strongly encrypted, they will be secure even if stored outside the EU. Conversely, storage in the EU does not guarantee security: a non-EU cloud provider, if it can access a user’s account to reunify data fragments, has the technical ability to disclose data where unencrypted, eg if so required by non-EU laws. We are preparing papers on these issues.
5. From your perspective, would it be useful if model Service Level Agreements or End User Agreements existed for cloud services so that certain basic terms and conditions could easily be incorporated into the contractual agreements?
6. If no, why not?
This would be problematic, in our view. The cloud ecosystem is very complex, with many different types and layers of services and actors, is too immature, and is still developing. Please see our answer to “Clouds for Users” question 8, and http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1783577 pgs 6-7. Rather than stipulating the text of the terms themselves, if certain matters are considered critical the Commission may wish to consider stipulating requirements as to specific issues or types of issues, as is already in train in the personal data context in relation eg to data portability and data breach notifications. We are currently researching negotiated cloud contracts through interviews with both providers and users.
1. Please describe interoperability or (data) portability issues you have encountered when using/providing cloud service or are otherwise aware of:
Inappropriate, pre-emptive interference in the functioning of the market for cloud services runs the risk of undermining current growth, but, equally, the non-applicability of competition law until dominance is attained could prejudice the goals of competition law in the cloud computing sector where, as in the ICT sector as a whole, network effects are likely to be strong. By the time a competition authority has legal grounds to intervene, competition may already be distorted and network effects may make it difficult for effective competition to be restored. The definition of the market will therefore be critical, and other methods such as public procurement (see below) may assume greater significance. The plans to require data portability for data protection law purposes should also assist in this context, although they apply only to ‘personal data’ as defined. Please see for further details ‘Ensuring Competition in the Clouds: The Role of Competition Law?’ http://www.cloudlegal.ccls.qmul.ac.uk/Research/researchpapers/48338.html.
2. Which existing or emerging standards support interoperability across clouds and portability of data (from one cloud to another)?
Given the current lack of formal standards, emerging industry practices and initiatives such as by Microsoft (http://www.microsoft.com/cloud/interop/) and Google (Data Liberation Front) provide possible self-regulatory models to facilitate interoperability and data portability.
1. What can the public sector do as a cloud user to support the emergence of best practices?
Governments can influence emerging systems by their ability to ‘try and buy’. Although many governments have declared their enthusiasm for cloud computing, they do not always appear to have followed this through in practice. As a cloud user, the public sector can use its power to ‘try’ and ‘buy’ cloud services in order to prototype and foster models, eg community clouds, and encourage the adoption of open and transparent standards and best practices particularly in security and privacy, eg in requirements specifications. It is therefore important for public procurement policy to be harmonised within the EU, particularly in relation to standards (including as regards licensing of any intellectual property rights involved) and interoperability. Please see the paper referred to under Interoperability, above. Transparency is also important. The public sector may also assist the development of market-friendly contract terms and standards by being proactive in publishing public sector cloud contracts and detailed specifications (particularly on security) in a timely manner, as well as being more receptive to freedom of information requests for such information. However, care should be taken that public procurement choices made by public administrations do not result in the distortion of competition.
2. Please elaborate in particular on public procurement of cloud services
See 1 above.
3. In particular, can the deployment of eGovernment and eScience infrastructures by the public sector act as an example of other sectors?
Yes, see 1 above.
4. Please list Member State initiatives in the area of Cloud Computing that you are aware of.
The UK is progressing its GCloud programme (one of our team is participating in the GCloud Commercial Workstream). Individual public authorities show increasing interest in cloud computing, as evidenced by the growing number of tender documents in the last year stipulating for, or expressly entertaining, the possible use of cloud computing solutions. For some recent examples, please see collaborations, eg local authorities (http://ted.europa.eu/udl?uri=TED:NOTICE:352076-2010:TEXT:EN:HTML&tabId=1) and Irish universities (http://www.tendersdirect.co.uk/Search/Tenders/Expired.aspx?ID= 000000003353737&sect=S068), and specific authorities’ initiatives such as Sheffield University (http://ted.europa.eu/udl?uri=TED:NOTICE:235251-2011:TEXT:EN:HTML&src=0); South Dublin County Council (http://www.etenders.gov.ie/Search/show/Search_View.aspx?ID=JUL158215); UK Food Standards Agency (http://ted.europa.eu/udl?uri=TED:NOTICE:187466-2011:TEXT:EN:HTML); Derby City Council (http://ted.europa.eu/udl?uri=TED:NOTICE:174104-2011:TEXT:EN:HTML&tabId=1); Essex County Council (http://ted.europa.eu/udl?uri=TED:NOTICE:204239-2011:TEXT:EN:HTML); and Cambridge University Hospitals NHS Foundation Trust (http://ted.europa.eu/udl?uri=TED:NOTICE:112420-2011:TEXT:EN:HTML).
5. Do you think they are: adequate; go too far; not far enough?
6. Please elaborate.
We do not have enough information yet to make an assessment, and indeed most initiatives do not yet seem sufficiently far progressed to be assessed. We will however be analysing some negotiated cloud contracts, including public sector contracts, and publishing the results.
1. Which are the most important technical aspects of cloud computing that researchers are currently working on? Please explain the importance of each concrete example.
Homomorphic encryption, whereby computations can be performed on encrypted data without first decrypting it. It is not currently fast enough for practical use but would contribute greatly to secure storage and secure computation in the cloud, and research continues in this field. See eg http://domino.research.ibm.com/comm/research_projects.nsf/pages/security.homoenc.html and http://research.microsoft.com/en-us/projects/cryptocloud/. Privacy by design needs to be incorporated into cloud computing systems. Secure identity management systems will also be more important in the cloud environment due to the increased role of access control and authorisations. The development of standards generally is crucial; there are many efforts to do so currently.
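The following is an added illustration of the principle described above, not code from the Cloud Legal Project or from the IBM and Microsoft research projects linked. It implements the Paillier cryptosystem, which is only additively homomorphic (a party holding the public key can add encrypted values and multiply them by plaintext constants, but not multiply two ciphertexts together), whereas the research referred to concerns fully homomorphic schemes; it nevertheless shows the mechanism concretely, and also illustrates the point made in the data protection answers that a cloud provider holding only ciphertexts and no decryption key can process data without being able to read it. The primes, the role names ("customer" and "provider") and the sample values are constructed for the example; the key size is a toy one and not suitable for real use.

```python
"""Added example: Paillier additive homomorphic encryption, with the provider summing
ciphertexts it cannot read. Requires Python 3.8+ (pow with a negative exponent)."""
import secrets
from math import gcd

# Constructed demo primes. Real deployments use primes of roughly 1024 bits or more;
# these are kept tiny so the arithmetic is easy to follow.
DEMO_P = 10007
DEMO_Q = 10009


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def _l_func(u: int, n: int) -> int:
    # Paillier's L function: L(u) = (u - 1) / n. The division is exact for the inputs
    # this scheme feeds it, because u is always congruent to 1 modulo n.
    return (u - 1) // n


def keygen(p: int = DEMO_P, q: int = DEMO_Q):
    """Return (public_key, private_key). Uses the common simplification g = n + 1."""
    n = p * q
    lam = _lcm(p - 1, q - 1)          # Carmichael function of n
    g = n + 1
    # mu = (L(g^lam mod n^2))^-1 mod n; with g = n + 1 this is simply lam^-1 mod n
    mu = pow(_l_func(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """Probabilistic encryption: a fresh random r makes repeated encryptions differ."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """Only the holder of (lam, mu) can recover the plaintext."""
    n, _ = pub
    lam, mu = priv
    return (_l_func(pow(c, lam, n * n), n) * mu) % n


def add_ciphertexts(pub, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 is an encryption of a + b: addition without the private key."""
    return (c1 * c2) % (pub[0] ** 2)


def scale_ciphertext(pub, c: int, k: int) -> int:
    """E(a)^k mod n^2 is an encryption of k * a: scaling by a plaintext constant."""
    return pow(c, k, pub[0] ** 2)


def provider_total(pub, ciphertexts):
    """The cloud provider's role: it holds the public key and the ciphertexts only,
    yet returns an encryption of the sum. It never sees the underlying values."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_ciphertexts(pub, total, c)
    return total


def demo(values):
    """Customer keeps the private key, uploads encrypted values, asks the provider
    for the encrypted sum and decrypts the answer locally. Returns the plaintext sum."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, v) for v in values]   # what the provider stores
    enc_sum = provider_total(pub, ciphertexts)         # computed provider-side
    return decrypt(pub, priv, enc_sum)                 # only the customer can do this


if __name__ == "__main__":
    print(demo([3, 4, 5]))
```

The sum of the sample values must stay below n (about 1e8 with the demo primes), since Paillier arithmetic is modulo n; a real deployment sizes n for the expected range of results.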
1. What are the most important cloud computing problems that have to be discussed at global level? Please list and explain.
In terms of legal issues: Data protection law issues. Access to cloud data by law enforcement authorities and in the context of disputes or investigations. Contractual issues such as risk allocation and consumer protection issues. Intellectual property, ownership of data stored or generated in the cloud and proprietary rights – please see http://ssrn.com/abstract=1562461
2. Which would be the right fora/approach to tackle them? Please expand.
Given the complex and rapidly evolving nature of the cloud ecosystem and market, government and legislative solutions will need to be approached carefully, in terms of both timing and content, while self-regulation and self-governance, which can be more agile, will also have an important role to play. Industry needs to step up and develop standards regarding eg cloud security and interoperability, and there is evidence of several initiatives already proceeding on these fronts.